Looking at the responses to my original email and doing some further
research, the summary of pluses/minuses would be:

1) unbound(8) resolving via root DNS servers
  + Most accurate results, since it bypasses any intermediaries.
  - Increased lookup time and higher load on authoritative DNS servers.
  - Some servers won't support DNS over TLS, hence my ISP can monitor
    those searches.

2) unbound(8) resolving via external forwarders (e.g. Cloudflare)
  + Faster lookup time.
  + DNS over TLS is always supported, hence hidden from my ISP.
  - Cloudflare can monitor those searches.
  ? Have to trust Cloudflare that the results are accurate.
  + Cloudflare DNS servers seem to support encrypted SNI.

There is still a separate issue of unencrypted TLS SNI, leaking
information in plain text. Seems like Firefox can support it when the
following config setting is set to true.

network.security.esni.enabled
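
As an added illustration (not part of the original post or its replies),
here is what the two unbound(8) options above look like in unbound.conf.
The IP addresses and the cloudflare-dns.com authentication name are
Cloudflare's published ones; the CA bundle path assumes OpenBSD.

```conf
# Added example, not from the original post: unbound.conf implementing
# option 2 (forward to Cloudflare over DNS over TLS), with notes on how
# option 1 (resolve via the roots) differs.
server:
    interface: 127.0.0.1
    access-control: 127.0.0.0/8 allow
    # Required so unbound can validate the forwarder's certificate.
    # Without it, forward-tls-upstream encrypts the channel but does not
    # authenticate the far end. /etc/ssl/cert.pem is OpenBSD's CA bundle.
    tls-cert-bundle: "/etc/ssl/cert.pem"
    # Option 1 is simply the absence of a forward-zone for ".":
    # unbound ships built-in root hints and iterates from the roots,
    # which is why some of those queries stay in clear text on port 53.

# Option 2: send every query to Cloudflare over TLS on port 853.
# The "#cloudflare-dns.com" suffix is the name unbound checks the
# server certificate against; leaving it off disables that check.
forward-zone:
    name: "."
    forward-tls-upstream: yes
    forward-addr: 1.1.1.1@853#cloudflare-dns.com
    forward-addr: 1.0.0.1@853#cloudflare-dns.com
    forward-addr: 2606:4700:4700::1111@853#cloudflare-dns.com
    forward-addr: 2606:4700:4700::1001@853#cloudflare-dns.com
```

unbound-checkconf(8) validates the file before unbound is (re)started.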
